What is a polymorphic virus?
A POLYMORPHIC virus is one that produces varied but operational copies
of itself. The variation is introduced in the hope that virus
scanners (see D1) will not be able to detect all instances of the virus.
One method of evading scan string-driven virus detectors is self-
encryption with a variable key. These viruses (e.g. Cascade) are not
termed "polymorphic", as their decryption code is always the same.
Therefore the decryptor can be used as a scan string by the simplest
scan string-driven virus scanners (unless another virus uses the
identical decryption routine *and* exact identification (see B15) is
required).
A technique for making a polymorphic virus is to choose among a variety
of different encryption schemes requiring different decryption routines:
only one of these routines would be plainly visible in any instance of
the virus (e.g. the Whale virus). A scan string-driven virus scanner
would have to use several scan strings (one for each possible
decryption method) to reliably identify a virus of this kind.
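The following toy scanner is an added illustration, not code from the FAQ or from any real scanner. It shows the detection side of the two cases above: a fixed decryptor (the Cascade case) matches a single scan string regardless of the encryption key, while a virus that picks among several decryptors (the Whale case) needs one scan string per routine. The "decryptor" byte patterns and the sample files are constructed for the example and are not real virus signatures.

```python
"""
Toy scan-string scanner (added example). All byte sequences are constructed
stand-ins; none is a real virus signature or real virus code.
"""

# Hypothetical byte patterns standing in for two different decryption routines.
DECRYPTOR_A = bytes.fromhex("31c0b90a00")  # constructed pattern, routine A
DECRYPTOR_B = bytes.fromhex("33d2b10a90")  # constructed pattern, routine B


def xor_body(body: bytes, key: int) -> bytes:
    """Byte-wise XOR, used only to give the samples a body under a variable key."""
    return bytes(b ^ key for b in body)


def make_sample(decryptor: bytes, key: int) -> bytes:
    """Constructed sample: a decryptor stub, a one-byte key, then the keyed body."""
    body = b"constructed payload bytes"
    return decryptor + bytes([key & 0xFF]) + xor_body(body, key & 0xFF)


def scan(sample: bytes, scan_strings: dict[str, bytes]) -> list[str]:
    """Return the names of every scan string that occurs in the sample."""
    return [name for name, s in scan_strings.items() if s in sample]


# Constructed samples: two share decryptor A with different keys (the Cascade
# situation), one uses decryptor B (one of several routines, the Whale situation).
SAMPLES = {
    "fixed decryptor A, key 0x11": make_sample(DECRYPTOR_A, 0x11),
    "fixed decryptor A, key 0x42": make_sample(DECRYPTOR_A, 0x42),
    "alternate decryptor B, key 0x42": make_sample(DECRYPTOR_B, 0x42),
}

# Scanner configurations: one scan string only, or one per decryption routine.
ONE_STRING = {"decryptor-A": DECRYPTOR_A}
TWO_STRINGS = {"decryptor-A": DECRYPTOR_A, "decryptor-B": DECRYPTOR_B}


def run_scanner(scan_strings: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan every constructed sample; map sample name -> scan strings that hit."""
    return {name: scan(sample, scan_strings) for name, sample in SAMPLES.items()}


if __name__ == "__main__":
    for label, config in (("one scan string", ONE_STRING), ("two scan strings", TWO_STRINGS)):
        print(f"--- {label} ---")
        for name, hits in run_scanner(config).items():
            print(f"{name}: {hits or 'NOT DETECTED'}")
```

With only the decryptor-A scan string, both variable-key samples are caught (the key changes, the decryptor does not), but the sample using decryptor B is missed; adding a second scan string covers it. Real polymorphic engines vary far more than this toy does, which is why later scanners moved beyond plain scan strings, but the principle of needing one pattern per visible decryptor is what the text describes.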